Test Lab Guide: Deploying an AD RMS Cluster

Published: June 6, 2012

Updated: July 2, 2012

Applies To: Windows Server 2012

The purpose of this Test Lab Guide (TLG) is to enable you to set up a working Active Directory Rights Management Services (AD RMS) infrastructure in a test environment. During this process you create an Active Directory® domain, install a database server, install the AD RMS server role, configure the AD RMS cluster, and configure an AD RMS-enabled client computer.

Once complete, you can use the test lab environment to learn about AD RMS technology on Windows Server® 2012 and assess how it might be deployed in your organization.

As you complete the steps in this guide, you will:

Prepare the AD RMS infrastructure.

Install and configure AD RMS.

Verify AD RMS functionality after you complete the configuration.

The goal of an AD RMS deployment is to be able to protect information, no matter where it goes. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner grants rights to other users to perform actions on the content, such as the ability to view, copy, or print the file. For more information about the business reasons behind an AD RMS deployment, see the white paper "Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use" (http://go.microsoft.com/fwlink/?LinkId=64636).

Note

This guide is considered the basic AD RMS TLG. All other TLGs developed for AD RMS will assume that this guide has been completed first.

This document contains instructions for extending the Windows Server® 2012 Base Configuration Test Lab Guide (TLG) to include an AD RMS cluster server on the APP1 server computer. In addition to extending APP1 to host the AD RMS server role, you will also need to configure the domain controller (DC1) and a desktop client computer (CLIENT1) as described in the instructions provided with the Base Configuration TLG.

In this guide you will deploy an additional SQL Server computer (SQL1) to host the AD RMS configuration and logging databases. You will not need to configure the INET1 or EDGE1 computers from the Base Configuration TLG, because they are not required to establish a working lab environment for testing an AD RMS deployment.

Important

The configuration of the computers and network in this guide was designed to give you hands-on practice in creating an AD RMS test environment. The design decisions made in this guide were geared toward increasing your hands-on experience and to some degree reflect AD RMS best practices configuration. For full best practices and design and planning information related to AD RMS, see AD RMS Prerequisites (http://technet.microsoft.com/library/dd772659(v=WS.10).aspx), AD RMS Performance and Logging Best Practices (http://technet.microsoft.com/library/dd941633(v=ws.10).aspx) and AD RMS Architecture Design and Secure Collaboration Scenarios (http://technet.microsoft.com/library/dd983947(v=ws.10).aspx).

The test lab configuration demonstrated in this guide extends the Windows Server 2012 Base Configuration TLG by one server computer. The additional computer will serve as a SQL Server computer and be named SQL1. There are four major steps in this test lab guide, each containing multiple procedures.

Complete installation and configuration of DC1, APP1, and CLIENT1 as described in the Base Configuration TLG.

Configure SQL1 as a SQL server database server.

Install Office 2010 trial version on CLIENT1.

Configure APP1 as the AD RMS root cluster server.

Verify AD RMS functionality at CLIENT1.

We recommend that you first use the steps provided in this guide in a test lab environment. Test lab guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document.

Upon completion of this test lab guide, you will have a working AD RMS infrastructure. You can then test and verify AD RMS functionality as follows:

Restrict permissions on a Microsoft Office Word 2010 document.

Have an authorized user open and work with the document.

Have an unauthorized user attempt to open and work with the document.

The test environment described in this guide includes four computers connected to a private network and using the operating systems, applications, and services summarized in the following table.

The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This test lab exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named DC1 for the domain named corp.contoso.com. The following figure shows the configuration of the test environment:

Three computers that meet the minimum hardware requirements for Windows Server 2012.

One computer that meets the minimum hardware requirements for Windows 8.

If you wish to deploy the Base Configuration test lab in a virtualized environment, your virtualization solution must support Windows Server 2012 64-bit virtual machines. The server hardware must support the amount of RAM required to run the virtual operating systems included in the Base Configuration test lab and any other virtual machines that may be required by additional TLGs.

Important

Run Windows Update on all computers or virtual machines either during the installation or immediately after installing the operating systems. After running Windows Update, you can isolate your physical or virtual test lab from your production network.

Note

If you will be installing and using the trial version of Microsoft Office 2010 Professional with the CLIENT1 computer, it's best to download and complete the installation process on CLIENT1 while it is still configured with Internet access. Once Microsoft Office 2010 is installed, along with any Office updates and with online activation completed, you can finish configuring CLIENT1 by joining it to the CORP domain and then reconfiguring CLIENT1 to limit network access to only your test lab private network.

Locate your Microsoft Office Professional Plus 2010 product media or optionally, you can download Microsoft Office Professional Plus 2010 for trial installation from the Microsoft Web site. Be sure to download the Professional Plus edition as other editions might not support information rights management (IRM) using AD RMS.

Launch the installer for Microsoft Office 2010 to begin installation.

Click Customize as the installation type, set the installation type to Not Available for all applications except Word 2010, and then click Install Now. This might take several minutes to complete.

Once you have completed the configuration of DC1 using the Base TLG instructions, you will want to configure the following additional user accounts for use with testing your AD RMS installation. The following table lists the user accounts that you will need to create at this time.

In Server Manager, click Local Server in the console tree, then click Tools, and then select Active Directory Users and Computers.

In the console tree, expand corp.contoso.com.

Right-click Users, point to New, and then click User.

In the New Object – User dialog box, type ADRMSSVC in the First name and User logon name boxes, and then click Next.

In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.

Perform steps 3-6 for each of the following users: ADRMSADMIN, Nicole Holliday, Limor Henig, and Stuart Railson.

In the Active Directory Users and Computers console, right-click Nicole Holliday, click Properties, type nhollida@cpandl.com in the E-mail box, and then click OK.

Repeat step 1 for Limor Henig and Stuart Railson, using the e-mail addresses for each account from the table.

Close the Active Directory Users and Computers console.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
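The listing that belongs here is not reproduced on this page. The following block is an added example, not the guide's own PowerShell listing: it creates the same accounts on DC1 with the ActiveDirectory module. The logon names nhollida, lhenig and srailson for the test users are an assumption taken from the e-mail addresses the guide types into the group-membership step; the password prompt stands in for the password of your choice.

```powershell
# Added example (not the guide's own listing): create the AD RMS test accounts on DC1.
# Run in an elevated Windows PowerShell session on DC1 as a domain administrator.
Import-Module ActiveDirectory

$usersOU = 'CN=Users,DC=corp,DC=contoso,DC=com'

# The guide leaves the password to your choice; prompt for it once and reuse it.
$password = Read-Host -Prompt 'Password for the new accounts' -AsSecureString

# Service and administrative accounts: first name and logon name are both the account name,
# exactly as the Active Directory Users and Computers steps describe.
foreach ($name in 'ADRMSSVC', 'ADRMSADMIN') {
    New-ADUser -Name $name -SamAccountName $name -GivenName $name `
        -UserPrincipalName "$name@corp.contoso.com" -Path $usersOU `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false
}

# Test users. The logon names (assumption) are derived from the e-mail addresses the guide
# uses in the group-membership step: nhollida, lhenig, srailson at contoso.com.
$testUsers = @(
    @{ First = 'Nicole'; Last = 'Holliday'; Logon = 'nhollida' },
    @{ First = 'Limor';  Last = 'Henig';    Logon = 'lhenig'   },
    @{ First = 'Stuart'; Last = 'Railson';  Logon = 'srailson' }
)
foreach ($u in $testUsers) {
    New-ADUser -Name "$($u.First) $($u.Last)" -SamAccountName $u.Logon `
        -GivenName $u.First -Surname $u.Last `
        -UserPrincipalName "$($u.Logon)@corp.contoso.com" `
        -EmailAddress "$($u.Logon)@contoso.com" -Path $usersOU `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false
}

# Check: every account exists, is enabled, and the test users carry an e-mail address.
$expected = 'ADRMSSVC', 'ADRMSADMIN', 'nhollida', 'lhenig', 'srailson'
Get-ADUser -Filter * -SearchBase $usersOU -Properties EmailAddress |
    Where-Object { $expected -contains $_.SamAccountName } |
    Select-Object Name, SamAccountName, Enabled, EmailAddress |
    Format-Table -AutoSize
```

The service account is created with an ordinary password here; the guide does not use a group managed service account, so the password you choose must be supplied again when the AD RMS cluster is configured on APP1.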

Once you have created the additional user accounts for your AD RMS infrastructure, you will need to create some additional Active Directory groups to assign users to; these groups are used to demonstrate restricted rights and permissions in later steps as you test your AD RMS installation. The following table lists the groups that you will need to create at this time.

In the Active Directory Users and Computers console, right-click Users, point to New, and then click Group.

In the New Object – Group dialog box, type Finance in Group name, select the Universal option for Group Scope, and then click OK.

Perform the above steps 1-2 for each of the remaining groups: Marketing, Engineering, and Employees.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Finally, add the user accounts to their appropriate groups. In this guide, we will add Nicole Holliday, Limor Henig, and Stuart Railson to the Employees group. Then, we will add Nicole Holliday to the Finance group, Limor Henig to the Marketing group, and finally add Stuart Railson to the Engineering group.

To add the user accounts to their respective groups, you should follow these steps:

In the Active Directory Users and Computers console, double-click Users, and then double-click Employees.

Click Members, and then click Add.

Type nhollida@contoso.com;lhenig@contoso.com;srailson@contoso.com, and then click OK.

Perform the above steps 2 and 3 to add one member to each of the remaining groups as follows:

Nicole Holliday—Finance

Limor Henig—Marketing

Stuart Railson—Engineering

Double-click Enterprise Admins.

Click Members, and then click Add.

Type adrmsadmin@contoso.com, and then click OK.

Close the Active Directory Users and Computers console.

Log out of DC1.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
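The PowerShell listings for the group-creation procedure and for this membership procedure are not reproduced on this page. The block below is an added example, not the guide's own listing, covering both: it creates the four universal groups, assigns the members named above, and adds ADRMSADMIN to Enterprise Admins. The logon names nhollida, lhenig and srailson are an assumption derived from the e-mail addresses the guide types into the Add dialog.

```powershell
# Added example (not the guide's own listing): create the four universal groups, populate
# them as the guide describes, and make ADRMSADMIN an Enterprise Admin.
# Run in an elevated Windows PowerShell session on DC1 as a domain administrator.
Import-Module ActiveDirectory

$usersOU = 'CN=Users,DC=corp,DC=contoso,DC=com'

# Universal security groups, as selected in the New Object - Group dialog.
foreach ($group in 'Finance', 'Marketing', 'Engineering', 'Employees') {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Universal `
            -GroupCategory Security -Path $usersOU
    }
}

# Membership map from the guide. Logon names (assumption) follow the e-mail addresses
# nhollida/lhenig/srailson that the guide types into the Add dialog.
$membership = @{
    Employees   = 'nhollida', 'lhenig', 'srailson'
    Finance     = 'nhollida'
    Marketing   = 'lhenig'
    Engineering = 'srailson'
}
foreach ($group in $membership.Keys) {
    Add-ADGroupMember -Identity $group -Members $membership[$group]
}

# ADRMSADMIN needs Enterprise Admins membership to register the SCP during AD RMS configuration.
Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'ADRMSADMIN'

# Check each group's resulting membership.
foreach ($group in @($membership.Keys) + 'Enterprise Admins') {
    $members = (Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0,-18} {1}' -f $group, $members
}
```

Enterprise Admins membership is the broadest privilege granted in this lab; the guide grants it only so that ADRMSADMIN can register the service connection point, and the check at the end of the block shows exactly which accounts hold it.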

Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.

Connect SQL1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.

Tip

To access Windows Update, you can do the following: Press CTRL+ALT+DELETE and then select Task Manager. In Task Manager, click More details. From the File menu, select Run new task. In the Run dialog, type "control", select Create this task with administrative privileges, and then click OK. In Control Panel, type "Windows Update" in the search box. Click Windows Update in the search results and then update your settings to install the latest updates for Windows Server 2012.

Download SQL Server 2012 trial version software to the SQL1 computer.

You can download the Microsoft SQL Server 2012 trial version software from Microsoft SQL Server 2012 Evaluation. To install the trial version later, at a minimum, you will need the following files to be downloaded at this time to a temporary directory on the SQL1 computer: SQLFULL_architecture_language_Lang.box, SQLFULL_architecture_language_Install.exe, SQLFULL_architecture_language_Core.box.

SQL Server 2012 requires that the .NET Framework 3.5 features are installed first. To avoid problems installing these features later, install them now while the SQL1 computer still has Internet access.

In Server Manager, click Local Server in the console tree. Click the link next to Wired Ethernet Connection.

Note

The link may not immediately appear. Wait for the network interfaces to be enumerated.

In Network Connections, right-click Wired Ethernet Connection, and then click Properties. Note that the "Wired Ethernet Connection" interface name may be different on your computer.

Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

Select Use the following IP address. In IP address, type 10.0.0.5. In Subnet mask, type 255.255.255.0. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

Click OK and then close the Wired Ethernet Properties dialog.

Close the Network Connections window.

In Server Manager, click Local Server in the console tree. Click the link next to Computer name in the Properties tile.

On the Computer Name tab of the System Properties dialog, click Change.

In Computer name, type SQL1, click OK twice, and then click Close. When you are prompted to restart the computer, click Restart Now.

After restarting, log on using the local Administrator account.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. Use the ipconfig /all command to list all the interfaces.

In Server Manager, click Local Server in the console tree. Click the link next to Computer name in the Properties tile.

In the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

On the Computer Name tab, under Member of, click Domain, and then type corp.contoso.com.

Click OK.

When you are prompted for a user name and password, type User1 and its password, and then click OK.

When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.

When you are prompted that you must restart the computer, click OK.

On the System Properties dialog box, click Close.

When you are prompted to restart the computer, click Restart Now.

After the computer restarts, click the Switch User arrow icon, then click Other User and log on to the CORP domain with the domain Administrator account.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. Note that you must supply domain credentials after entering the Add-Computer command below.
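The PowerShell listings for the addressing, rename and domain-join procedures above are not reproduced on this page. The block below is an added example, not the guide's own listing, that performs all three on the new server in one pass. It assumes the interface alias "Wired Ethernet Connection" from the guide (check yours with Get-NetAdapter) and that DC1 at 10.0.0.1 is already serving DNS for corp.contoso.com.

```powershell
# Added example (not the guide's own listing): static addressing, .NET 3.5, rename and domain
# join of the SQL1 computer. Run elevated in the local Administrator session left by setup.
# "Wired Ethernet Connection" is the interface name the guide uses; adjust it to the alias
# that Get-NetAdapter shows on your machine.
$alias = 'Wired Ethernet Connection'

# Install the .NET Framework 3.5 features while Internet access is still available
# (SQL Server 2012 setup requires them).
Install-WindowsFeature -Name NET-Framework-Core

# Replace any DHCP configuration with the lab address 10.0.0.5/24 and DC1 as the DNS server.
Set-NetIPInterface -InterfaceAlias $alias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $alias -IPAddress 10.0.0.5 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 10.0.0.1

# A domain join depends on the domain's DNS records; confirm DC1 answers before trying.
if (-not (Resolve-DnsName -Name corp.contoso.com -Type A -ErrorAction SilentlyContinue)) {
    throw 'corp.contoso.com does not resolve via 10.0.0.1; check the DNS setting and DC1.'
}

# Rename to SQL1 and join CORP in one step; Get-Credential prompts for the User1 password
# (the account the guide names for the join) and the computer restarts when the join completes.
$cred = Get-Credential -UserName 'CORP\User1' -Message 'Domain join credentials'
Add-Computer -DomainName corp.contoso.com -NewName SQL1 -Credential $cred -Restart
```

Add-Computer with -NewName performs the rename and the join together, so the separate restart between the two GUI procedures is not needed; after the single restart, log on as the CORP domain Administrator as the guide describes.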

You will see the Unloading the Box progress dialog box as the setup files and folder structure are unpacked. After the files are extracted you will have a subfolder (for example, C:\temp\SQLFULL_architecture_language) containing the installation files for SQL Server 2012.

Navigate to the subfolder and double-click Setup to launch the SQL Server Installation Center. When prompted for administrative credentials to launch SQL Server 2012 Setup provide the current credentials for CORP\Administrator.

In the SQL Server 2012 Installation Center, from the navigation menu on the left, click Installation, and then click New SQL Server installation or add features to an existing installation.

SQL Server 2012 Setup will launch and run Setup Support Rules to determine that all SQL prerequisites have been met.

Click OK after the Setup Support Rules check has successfully completed.

In Product Key, if you are installing a trial version, under Specify a free edition, select Evaluation and then click Next.

In License Terms, read the license terms and then click the I accept the license terms checkbox and then click Next.

In Product Updates, SQL Server Setup will not be able to connect to the Windows Update service. Click Next to continue setup and begin installing setup files.

In Setup Support Rules, note that the results of the rules check typically show that all pre-checks have passed, with warnings about Microsoft .NET Application Security and Windows Firewall. Click Next to continue SQL Server setup.

In Installation Rules, verify that all rules have passed and then click Next.

In Instance Configuration, accept the Default instance, as well as the default values for Instance ID and Instance root directory and then click Next.

In Disk Space Requirements, verify that the disk space summary shows sufficient space for the selected features, and then click Next.

In Server Configuration, accept the defaults and then click Next.

In Database Engine Configuration, accept the default authentication type (Windows authentication) and then for Specify SQL Server Administrators, click Add Current User to add CORP\Administrator to the list and then click Next.

In Error Reporting, click Next.

In Installation Configuration Rules, verify that all rules have passed and then click Next.

In Ready to Install, review installation selections and then click Install.

Click Close after installation has successfully completed.

Next, because ADRMSADMIN is also the account you will use to install and configure AD RMS in Step 2, add this account to the local Administrators group on APP1, where the AD RMS server will be located.

Verify that you are logged on as CORP\Administrator to the SQL1 computer.

From the server desktop, open Windows Explorer and then right-click Local Disk (C:).

Point to New, and then click Folder.

Type Public for the new folder, and then press ENTER.

Right-click Public, point to Share with, and then click Specific people.

The File Sharing wizard opens.

For Choose people on your network to share with, click the arrow and select Everyone, and then click Add.

In the list, click the arrow for Permission Level on the group Everyone and select Read/Write.

Click Share, then click Done.

Right-click Public and then click Properties.

On the Sharing tab, click Advanced Sharing, then click Permissions, and then click Add.

In Select Users, Computers, Service Accounts or Groups, type Domain Users and then click Check Names.

Click OK.

On the Share Permissions tab, verify that Domain Users (CORP\Domain Users) is selected in the Group or user name box.

In the Permissions for Users box select the Full Control check box in the Allow column.

Click OK twice, and then click Close to close the file sharing wizard.

Next, we will want to continue working on SQL1 using SQL Server Management Studio and other administrative tools to make some configuration changes to support SQL Server access before we install AD RMS in the next step. First, the ADRMSADMIN account needs to be given SysAdmin rights on the SQL Server instance in order to be able to create the AD RMS databases during AD RMS setup.

While logged on to SQL1 as CORP\Administrator, in Task Manager, from the File menu, select Run new task, type the following to open the Windows Firewall with Advanced Security console and then click OK.
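The command the step above refers to is not reproduced on this page. The block below is an added example, not the guide's own listing, that performs the SQL1 preparation steps from a Windows PowerShell session on SQL1: the Public share with the permissions set in the wizard, the sysadmin role for ADRMSADMIN, and an inbound firewall rule for the database engine. The port, TCP 1433 for the default instance, is an assumption because the guide's own firewall steps are not shown here.

```powershell
# Added example (not the guide's own listing): SQL1 preparation, run elevated as CORP\Administrator
# on SQL1. TCP 1433 (default instance) is an assumption; the guide's firewall steps are not
# reproduced on this page.

# 1. C:\Public, shared to Everyone with Read/Write (change) and to Domain Users with full control,
#    matching the File Sharing wizard and the Advanced Sharing steps.
New-Item -Path 'C:\Public' -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name Public -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name Public -Path 'C:\Public' `
        -ChangeAccess 'Everyone' -FullAccess 'CORP\Domain Users' | Out-Null
}
# The wizard also grants Everyone Modify on the NTFS ACL; icacls does the same.
icacls 'C:\Public' /grant 'Everyone:(OI)(CI)M' | Out-Null

# 2. sysadmin for ADRMSADMIN so AD RMS setup can create its configuration and logging databases.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\ADRMSADMIN')
    CREATE LOGIN [CORP\ADRMSADMIN] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [CORP\ADRMSADMIN];
SELECT IS_SRVROLEMEMBER('sysadmin', 'CORP\ADRMSADMIN') AS IsSysadmin;
"@
$script = Join-Path $env:TEMP 'adrms-sysadmin.sql'
$tsql | Set-Content -Path $script
# sqlcmd.exe ships with SQL Server 2012; -E uses the current Windows logon, -S the default instance.
sqlcmd -S SQL1 -E -i $script

# 3. Allow APP1 to reach the database engine. Domain profile only: the lab has no other networks.
$ruleName = 'SQL Server (TCP 1433)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 1433 -Profile Domain -Action Allow | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

The SELECT at the end of the T-SQL prints 1 when the role membership took effect. sysadmin is only needed while AD RMS setup creates its databases; in a production deployment the role can be removed from ADRMSADMIN afterwards.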

Windows Server 2012 includes the option to install AD RMS as a server role through Server Manager. Both installation and configuration of AD RMS are handled through Server Manager. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. This test lab guide will install and configure a single-server AD RMS root cluster.

Log on to the APP1 computer as the AD RMS enterprise administrator (CORP\ADRMSADMIN).

Note

The ADRMSADMIN account was created for use in installing and managing the AD RMS server deployment. To ensure it has sufficient rights to accomplish its purpose, such as the ability to register the service connection point (SCP), it needs to be made a member of the Enterprise Admins group for the corp.contoso.com domain. To install the AD RMS role on APP1, the ADRMSADMIN account also needs to be added to the local Administrators group on APP1. These account and group management details are important to successfully complete the configuration of the AD RMS cluster and allow for further management of the AD RMS server.

In the Dashboard console of Server Manager, click Add roles and features.

When prompted to add features that are required for AD RMS, click Add Features.

In the Select features dialog, select .NET Framework 3.5 Features, and then click Next.

Note

You must install .NET Framework 3.5 prior to installing the Microsoft Report Viewer 2008 used to generate troubleshooting and system health reports on AD RMS in Windows Server 2012.

In Active Directory Rights Management Services, click Next.

In Select role services, verify that Active Directory Rights Management Server is selected, and then click Next.

Click Install to add the role.

Allow the installation to complete and then click Close.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

In Windows Server 2012, adding the AD RMS role and configuration of a new AD RMS cluster are two separate processes. After you have completed adding the role, additional configuration is required to deploy the AD RMS role.

For Cluster Address, accept the default (Use an SSL-encrypted connection (https://)). For Fully Qualified Domain Name, type app1.corp.contoso.com, and then click Next.

For Server Certificate, accept the default (Create a self-signed certificate for SSL encryption) and then click Next.

Tip

When using a self-signed certificate for the cluster, you can put a copy of that certificate in the Trusted Root Certification Authorities store so that it will be trusted. A copy can also be put in that same certificates store on the client computer so that the web site is trusted.

For Licensor Certificate, accept the default name (APP1) and then click Next.

For SCP Registration, accept the default (Register the SCP now) and then click Next.

For Confirmation, review your installation selections and then click Install.

Click Close.

Log off the server, and then log on again to update the security token of the logged-on user account.

The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.

Your AD RMS root cluster is now installed and configured.

Once you have completed logging in again, you can further manage AD RMS using the Active Directory Rights Management Services console.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
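The PowerShell listings for adding the AD RMS role and for configuring the root cluster are not reproduced on this page. The block below is an added example, not the guide's own listing, that does both on APP1 with the values the guide specifies (database on SQL1, service account ADRMSSVC, cluster URL https://app1.corp.contoso.com, licensor certificate name APP1, SCP registered). The cmdlet name Install-AdrmsCluster and its parameter names are taken from the ADRMS deployment module and should be confirmed with Get-Help before use; the cluster key password is your own choice.

```powershell
# Added example (not the guide's own listing): add the AD RMS role on APP1 and configure the
# single-server root cluster. Run elevated on APP1 as CORP\ADRMSADMIN.
# Assumption: Install-AdrmsCluster and its parameters are as documented in the ADRMS module;
# verify with "Get-Help Install-AdrmsCluster -Full" before running.

# Role, the .NET 3.5 features the Report Viewer requires, management tools, and the AD cmdlets
# used for the check at the end.
Install-WindowsFeature -Name ADRMS, NET-Framework-Core, RSAT-AD-PowerShell -IncludeManagementTools
Import-Module ADRMS

# Values the guide specifies: SQL1 database server, ADRMSSVC service account, cluster URL, SLC name.
$serviceAccount     = Get-Credential -UserName 'CORP\ADRMSSVC' -Message 'AD RMS service account'
$clusterKeyPassword = Read-Host -Prompt 'Cluster key password (record it securely)' -AsSecureString

Install-AdrmsCluster -DatabaseServer SQL1 `
    -ServiceAccount $serviceAccount `
    -ClusterKeyPassword $clusterKeyPassword `
    -ClusterURL 'https://app1.corp.contoso.com' `
    -SLCName APP1 `
    -RegisterSCP `
    -Force

# Check: the service connection point now exists in the forest configuration partition and
# points at the cluster URL, which is what AD RMS clients look up to find the server.
Import-Module ActiveDirectory
$scpPath = 'CN=SCP,CN=RightsManagementServices,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity $scpPath -Properties serviceBindingInformation |
    Select-Object -ExpandProperty serviceBindingInformation

# Log off and on again afterwards so the AD RMS Enterprise Administrators membership takes effect.
```

The cluster key password protects the server licensor certificate's private key; it is required again for any additional server that joins the cluster or for disaster recovery, so store it with the same care as the database backups.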

The AD RMS Client 1.0 is included in the default installation of Windows 8. Previous versions of the client are available for download for a number of earlier versions of the Windows operating system. For more information, see the AD RMS Client Requirements.

Before you can consume rights-protected content, you must add the AD RMS cluster URL to the Local Intranet security zone.

Add the AD RMS cluster URL to the Local Intranet security zone for all users who will be consuming rights-protected content.

In Add this website to the zone, type https://app1.corp.contoso.com, and then click Add.

Click Close.
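The Local intranet zone entry that the Internet Options dialog writes can also be set from Windows PowerShell. The block below is an added example, not part of the guide: it writes the same ZoneMap registry value for the current user and checks it, so it is run once in each test user's session on CLIENT1 (the guide repeats the dialog steps per user). The helper function names are assumptions introduced here.

```powershell
# Added example (not the guide's own listing): put https://app1.corp.contoso.com in the
# Local intranet zone for the current user via the ZoneMap keys that Internet Options uses.
# Run in each test user's session on CLIENT1. Zone value 1 = Local intranet.
function Add-LocalIntranetSite {
    param(
        [Parameter(Mandatory)] [string] $Domain,    # e.g. corp.contoso.com
        [Parameter(Mandatory)] [string] $HostName,  # e.g. app1
        [string] $Scheme = 'https'
    )
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key = Join-Path (Join-Path $zoneMap $Domain) $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the scheme; 1 = Local intranet, 2 would be Trusted sites.
    New-ItemProperty -Path $key -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-LocalIntranetSite {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $HostName,
        [string] $Scheme = 'https'
    )
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostName"
    $value = (Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
    return ($value -eq 1)
}

Add-LocalIntranetSite -Domain 'corp.contoso.com' -HostName 'app1'
if (Test-LocalIntranetSite -Domain 'corp.contoso.com' -HostName 'app1') {
    "https://app1.corp.contoso.com is in the Local intranet zone for $env:USERNAME"
} else {
    throw 'Zone mapping was not written.'
}
```

Only the https scheme is mapped, matching the cluster URL the guide configures; a plain http entry for the same host is not needed and would widen the zone beyond the licensing site.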

Tip

You can now verify access to the AD RMS licensing site by typing the URL (https://app1.corp.contoso.com) in the Address bar in Internet Explorer. You should also see a warning about the certificates for this site. That is because of the use of a self-signed certificate when AD RMS was configured. In live deployments, it is recommended that you use a signed certificate issued from a trusted Internet issuing certification authority (CA).

Repeat steps 1–7 for Stuart Railson and Limor Henig.

To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then restrict permissions on a Microsoft Word 2010 document so that members of the Engineering group are able to read the document but unable to change, print, or copy it. You will then log on as Stuart Railson, verifying that the permission to read the document has been granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of the Engineering group, he should not be able to consume the rights-protected file.

Note

In this test lab guide, when a user restricts permissions on a document or attempts to open a restricted document, a warning appears that informs you that the certificate issuer for the AD RMS Web site is unknown or untrusted. This warning results from using a self-signed certificate instead of a certificate issued by a recognized certification authority. When you receive this warning, click Yes to continue.

Open Windows Explorer and browse to \\SQL1\Public. Double-click ADRMS-TST.docx to open it in Microsoft Word 2010.

When prompted that this page requires a secure connection that includes server authentication, click Yes.

Note that the following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://app1.corp.contoso.com:443/_wmcs/licensing to verify your credentials and download your permission."

Click OK.

Note that the following message appears: "Verifying your credentials for opening content with restricted permissions…"

When the document opens, click the File menu. Notice that the Print option is not available.

Close Microsoft Word.

Log off as Stuart Railson.

Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.

Open Windows Explorer and browse to \\SQL1\Public. Double-click ADRMS-TST.docx to open it in Microsoft Word 2010.

When prompted that this page requires a secure connection that includes server authentication, click Yes.

Note that the following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://app1.corp.contoso.com:443/_wmcs/licensing to verify your credentials and download your permission."

Click OK.

The following message appears: "You do not have credentials that allow you to open this document. You can request updated permission from nhollida@contoso.com. Do you want to request updated permission?"

Click No and then close Microsoft Word.

You have successfully deployed and demonstrated the functionality of AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2010 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.